Questions tagged [csrf-protection]

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.


Web sites have various CSRF countermeasures available:

  • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions. This technique is commonly referred to as the Synchronizer Token Pattern.
  • Requiring the client to provide authentication data (for example, re-entering a password) in the same HTTP request that performs any operation with security implications, such as a money transfer.
  • Limiting the lifetime of session cookies
  • Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls
  • Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies
  • Verifying that the request contains an X-Requested-With header (used by Ruby on Rails before v2.0 and Django before v1.2.5), or checking the HTTP Referer header and/or HTTP Origin header. These protections have been shown to be insecure: a combination of browser plugins and redirects can allow an attacker to set custom HTTP headers on a request to any website, and hence to forge a request.

712 questions
15 votes, 4 answers

How to protect against CSRF on a static site?

I have a static website, being served from a CDN, that communicates with an API via AJAX. How do I protect against CSRF? Since I do not have control over how the static website is served, I cannot generate a CSRF token when someone loads my static…
Justin (3,418 reputation; 3 gold, 27 silver, 37 bronze badges)
15 votes, 1 answer

Handling CSRF attacks from AWS Lambda?

Normally, a CSRF token is generated by the server and then sent to the client. When the client submits a form, the token is passed back to the server, which then gets verified. If I am just using API Gateway and Lambda, how would I ensure that all…
15 votes, 1 answer

Why do browsers allow CSRF?

I am pretty new to web security, and as I read more about the different attack vectors, my mind boggles that they are allowed in the first place. It's like the web was designed with a broken security model and to be vulnerable. I am also amazed at…
aaa90210 (11,295 reputation; 13 gold, 51 silver, 88 bronze badges)
14 votes, 2 answers

JQuery + AJAX + Django = CSRF ?

Possible Duplicate: "CSRF token missing or incorrect" while post parameter via AJAX in Django. I wanted to send login data by AJAX to authenticate the user, but it wasn't possible because of CSRF. Could you tell me what to add to my code to make it…
Jazi (6,569 reputation; 13 gold, 60 silver, 92 bronze badges)
14 votes, 3 answers

Steal CSRF token

I've read other questions on Stack Overflow but didn't find a clear answer to this question: What prevents the attacker from stealing the user's CSRF token via JS? Can't he just find the CSRF element and get its value with JS? I am not very familiar…
CuriousGuy (1,545 reputation; 3 gold, 20 silver, 42 bronze badges)
13 votes, 2 answers

AntiForgeryToken invalid after sign in

I have a form which the user can post without logging in. If, however, his email is recognized, a password is required. The password form is validated over Ajax and, if successful, the main form is submitted. Both forms require a valid…
Martin (2,956 reputation; 7 gold, 30 silver, 59 bronze badges)
13 votes, 2 answers

Security of storing Bearer token in cookies

My SPA uses React as front end and a Laravel API as backend. When the user logs in (via axios and the API), the API returns an access (Bearer) token as response. I use the react-cookie framework to store the access token as a cookie in the browser. This…
13 votes, 2 answers

customer authenticator + form_login options break all csrf tokens

I have a Symfony 3.3.13 system with various forms. To achieve "deep-linking" in these forms, i.e. being able to click on an email link, log in and then be redirected to the form, I have added the following changes: config.yml framework: secret: …
jdog (2,465 reputation; 6 gold, 40 silver, 74 bronze badges)
13 votes, 4 answers

Django check CSRF token manually

I am implementing an API that works either with an API key, or with a CSRF token. The goal is for it to be usable either by a web app (protected by CSRF) or by a third party application (protected by API key). Basically on each request (all via…
Leah Sapan (3,621 reputation; 7 gold, 33 silver, 57 bronze badges)
12 votes, 2 answers

How JSF 2.0 prevents CSRF

I am researching something I hear regularly: that when doing a webapp in JSF 2.0 you are already protected from cross-site scripting and cross-site request forgery. The following excerpt from a SO post confirms this: In JSF 2.0 this has been improved by using a…
Leanne (121 reputation; 1 gold, 1 silver, 3 bronze badges)
12 votes, 1 answer

how to generate and validate csrf tokens

What is the best way to generate a CSRF token and verify it? From what I have been able to gather, even if you have a hidden form field in a "post" form, a hacker can simply get that form using ajax, take the CSRF token and send another request to the…
Amit (3,952 reputation; 7 gold, 46 silver, 80 bronze badges)
12 votes, 1 answer

GraphQL and CSRF protection

I read a lot around: https://github.com/pillarjs/understanding-csrf https://security.stackexchange.com/questions/10227/csrf-with-json-post Are JSON web services vulnerable to CSRF attacks? (Nothing on the ApolloServer site:…
Fred Hors (3,258 reputation; 3 gold, 25 silver, 71 bronze badges)
12 votes, 2 answers

CSRF is only checked when authenticated in DRF?

TL;DR: It seems that my POSTs (to DRF endpoints) are only CSRF protected if the client has an authenticated session. This is wrong, and leaves the application open to login CSRF attacks. How can I fix this? I'm starting to build a django rest…
12 votes, 3 answers

JSON API and CSRF

I'm developing a web API. Authentication is through cookies. All endpoints receive parameters through JSON in the request body. Do I need to implement a CSRF token to protect them? How can this be exploitable? Is it possible to send JSON through a…
Pipe (2,379 reputation; 2 gold, 19 silver, 33 bronze badges)
12 votes, 4 answers

Symfony 4 - how to add csrf token without building form?

I am reading the tutorial here https://symfony.com/doc/current/form/csrf_protection.html on how to add a CSRF token. It says to use form_end() in the template. But this is not working, gives error: Type error: Too few arguments to function …
Dariux (3,953 reputation; 9 gold, 43 silver, 69 bronze badges)